EPIC Opposes FCC Broadcast Flag Mandate. In comments
to the Federal Communications Commission, EPIC has recommended against the
adoption of a Digital
Television Broadcast Flag mandate unless it incorporates privacy protections
for viewer data. The Broadcast Flag could erode anonymity in consumption
of media and circumvent well-established public policy that protects viewer
data. For more information, see the EFF
BPDG Blog and the EPIC Digital
Rights Management Page. (Dec. 6, 2002)

EPIC Joins DRM Submission to OASIS. In comments
to the Organization for the Advancement of Structured Information Standards
(OASIS), EPIC joined the Samuelson
Law, Technology & Public Policy Clinic in arguing that rights expression
languages (REL) should incorporate fair use and privacy principles. (Aug.
13)

EPIC, EFF Urge House Subcommittee to Consider Risks of DRM. In
a letter
to the House Judiciary Subcommittee on the Courts, the Internet, and Intellectual
Property, EPIC and the Electronic
Frontier Foundation (EFF) urged Members to consider the harms to consumer
and societal rights posed by digital rights management (DRM) technologies.
The Subcommittee will hold a hearing today focusing on the consumer benefits
of DRM, with a panel consisting only of content protection representatives,
and no witnesses to discuss the risks to privacy, fair use, free expression,
or innovation. For more information, see the EPIC Digital
Rights Management and Privacy Page and the EFF Campaign
for Audiovisual Free Expression Page. (June 5, 2002)

Introduction

Digital Rights Management (DRM) systems restrict the use of digital files
in order to protect the interests of copyright holders. DRM technologies can
control file access (number of views, length of views), altering, sharing,
copying, printing, and saving. These technologies may be contained within
the operating system, program software, or in the actual hardware of a device.

DRM systems take two approaches to securing content. The first is "containment,"
an approach where the content is encrypted in a shell so that it can only
be accessed by authorized users. The second is "marking," the practice
of placing a watermark, flag, or an XrML tag on content as a signal to a device
that the media is copy protected. According to Professor Ed Felten, both approaches
are vulnerable to cracking by individuals with "moderate" programming
skills.

DRM technology and legislation requiring the inclusion of copy control systems
pose serious threats to privacy, open source software development, and the
fair use of copyrighted content.

Some DRM technologies have been developed with little regard for privacy
protection. The systems usually require the user to reveal his or her identity
and rights to access protected content. Upon authentication of identity and
rights to the content, the user can access the content.

DRM systems can prevent the anonymous consumption of content. DRM systems
could lead to a standard practice where content owners require all purchasers
of media to identify themselves. In other areas where individuals can borrow
or purchase media, such as video rental stores or libraries, statutory and
ethical protections prevent the transfer of personal information linked to
the content acquired. Such protections do not exist in the music and growing
electronic book markets. In these unregulated areas, artists and authors may
have more difficulty in finding an audience for their work because of the
privacy risks associated with linking identity to content consumption.

In addition to preventing anonymity in access to digital information, DRM
can be used to facilitate profiling of users' preferences or to limit access
to certain content. This is done by assigning an identifier to content or
to the content player, and attaching personal information to the identifier.
For instance, Microsoft's Windows Media Player has an embedded globally-unique
identifier (GUID) to track users. Similarly, Microsoft's eBook Reader requires
the user to "activate" the software and link it to a Passport account.
From there, Microsoft captures a unique hardware identifier of the user's
computer. There is also an activation limit that can stop a user from transferring
an eBook to other computers. This enables Microsoft to prevent users from
sharing books or from reading a book on a different machine.

Also, Windows Media Player creates a log file of the content a user views,
and "phones home" to a central server to obtain content titles.
These technologies mark an important development in the use of copyright law:
copyright can regulate duplication of works to protect content owners. Now,
copyright is being used as a justification to both protect content and to
profile the consumers of content.

Linking personally-identifiable information to content may result in "price
discrimination." Price discrimination is the practice of selling an item
at different costs to different consumers. It can be facilitated where the
seller knows the consumer's identity, and can associate the identity with
a profile that includes financial information on the consumer. DRM systems
may enable content owners to control access to content, but also to adjust
the price of content based on the consumer's identity.

Alternatives exist that would provide copy protection and at the same time
protect privacy. For instance, token and password systems could be used to
authorize a download of digital content. Alternative, non-privacy-invasive
solutions have not been explored adequately.

DRM systems that have been designed impinge on users' control and use of
content. Many DRM systems will not allow a user to transfer content to portable
devices, such as MP3 players. In addition, many DRM systems work only with
Windows operating systems to the exclusion of Linux and Macintosh users.

DRM systems may also be designed to actually harm a user's system. One product
in particular, InTether Point-to-Point, can impose "penalties" for
"illegal" uses of files. The program can force a reboot of the user's
computer or destroy the file that the user was attempting to access. A Celine
Dion album released in 2002 by Epic and Sony Records can crash a user's computer
if the disc is inserted in a CD-ROM drive.

DRM may also be referred to as "Content Management Systems" (CMS),
"Content/Copy Protection for Removable Media" (CPRM) or sometimes
as "technological measures."

The Digital Millennium Copyright Act (DMCA) can interfere with a user's ability
to access content. The DMCA is a 1998 law designed to increase copyright holders'
rights. The DMCA created civil and criminal penalties for the creation or
distribution of DRM circumvention tools. As a result, a user attempting to
circumvent copyright protection, even for legitimate reasons, may violate
federal law. The DMCA was the American version of implementing legislation
for a World Intellectual Property Organization treaty.

DRM schemes and laws that require embedding copy protection into devices
endanger the development of open-source software. Open-source software developers
rely on reverse engineering to write programs that can interact with hardware.
This practice is illegal under the DMCA. Additionally, some industry standards
must be "tamper-resistant." "Tamper-resistant" is defined
in such a way that it makes open source implementations noncompliant.

Statutory and Common Law interpretations of copyright law afford individuals
"Fair Use" rights. Fair Use provides a defense to individuals who engage in
an unauthorized use of protected content. It is impossible for DRM systems
to incorporate Fair Use principles because they are difficult to define, and
evolve over time. Fred von Lohmann of the Electronic Frontier Foundation has
argued that for DRM to recognize Fair Use, engineers must be able to program
a federal judge onto a computer chip.

Fair Use allows individuals to interact with content to promote cultural
production, learning, innovation, and equity between content owners and consumers.
Fair Use includes libraries' and educators' rights to provide content to users,
the right to sell physical copies of certain content that one acquires lawfully
(the "First Sale" doctrine), and the ability to make a backup copy of software
and music. No DRM scheme developed affords users these rights.

A Media Consumption Culture Shift: Pay-Per-Use and the Marginalization
of Content Sharing

DRM systems have been presented as a solution to unauthorized copying of
digital content. However, the content industry may have other objectives with
DRM technology. The technology can limit users' interaction with media. Through
limiting interaction, over time, DRM technologies can change users' expectations
about control and use of digital content.

Professor Peter Jaszi has argued that DRM developers may be attempting to
acclimate consumers to a pay-per-use business model. Under such a system,
a fee would be assessed each time digital media is accessed. This business
model could be more lucrative for content controllers.

DRM could also acclimate users to a system where sharing of content is not
permitted. In 1996, Richard Stallman,
President of the Free Software Foundation, painted a picture of a society
with stringent copy controls and a societal rejection of content sharing.
In The Right to Read, Stallman envisioned a world where copy protection prevented
the anonymous reading of books, lending books to others, or the mere possession
of software tools that could be used to bypass copyright law:

This put Dan in a dilemma. He had to help her--but if he lent her
his computer, she might read his books. Aside from the fact that you could
go to prison for many years for letting someone else read your books,
the very idea shocked him at first. Like everyone, he had been taught
since elementary school that sharing books was nasty and wrong--something
that only pirates would do.
--The Right to Read, Richard Stallman, 1996.

Major DRM Developments

The FCC Broadcast Flag

In August 2002, the FCC issued a notice of proposed rulemaking (NPRM) to
consider whether digital television signals should incorporate a digital broadcast
flag. Such a flag would mark digital content as "protected" and
direct devices to limit individuals' use of the content.

Comments were due December 6, 2002. The Electronic Frontier Foundation runs
a "blog" to share detailed
information about the flag. You can view comments by visiting the FCC
E-Filing Page and entering proceeding 02-230 in the first box.

Representative Howard Berman (D-CA) introduced H.R. 5211 in July 2002. The
bill would allow cybervigilantism in order to stem P2P piracy. The measure
would actually permit copyright owners or their agents to engage in behavior
currently illegal under a computer fraud act in order to interdict filetrading.

The bill authorizes copyright agents to block or otherwise disable file transfers
where there is a reasonable basis to believe that the file traders are engaging
in piracy. Copyright agents' techniques would be shielded from public view--they
will have to notify the Department of Justice of their file blocking plans,
but the techniques would be exempt from open government laws. Individuals
whose file transfers are wrongly blocked would have almost no recourse. A
wronged individual would first have to complain to the Department of Justice
before bringing suit, and in order to prevail in court, the individual would
have to show over $250 in monetary damages and that the copyright agent knowingly
and intentionally blocked a legal file transfer.

The bill is extremely broad, and although it is written to target Napster
or Kazaa-like systems, it could be read as authorization to interfere with
e-mail and instant messaging systems.

In June 2002, Microsoft announced its Palladium project, a project that would
embed DRM into software and hardware. For more information, see the EPIC Palladium
Page.

The SSSCA and the CBDTPA

In September 2001, Senator Fritz Hollings (D-SC) announced plans to introduce
the Security Systems Standards and Certification Act (SSSCA). The SSSCA would
require equipment manufacturers to embed government-approved copy protection
systems into all computer equipment.

In February 2002, Sen. Hollings scheduled hearings to examine the need for
government imposition of standards for digital content protection. During
the hearing, legislators declared that they would introduce legislation to
mandate control requirements if the industry did not develop them. All of
the hearing panelists represented large corporations and there was no testimony
taken from consumer advocates.

In March 2002, Sen. Hollings introduced the Consumer Broadband and Digital
Television Promotion Act (CBDTPA). This copyright control would force manufacturers
to embed copy protection in all devices that can receive digital media. The
Senate Judiciary Committee also held hearings, and is now accepting comments
from the public on the implications of the CBDTPA. Opposition to the CBDTPA
has been vigorous both from individual users and from business interests.

In June 2001, a Russian programmer named Dmitry Sklyarov published a program
that can defeat a DRM technology used to secure Adobe eBooks. In July, at
the behest of Adobe, the Department of Justice arrested Sklyarov for violating
the Digital Millennium Copyright Act (DMCA) shortly after he presented a paper
on cracking Adobe ROT-13 copy protection. Sklyarov remained in jail for several
weeks and has been released on $50,000 bail. The Electronic Frontier Foundation
(EFF) assisted in his defense and in December 2001, federal authorities dropped
charges against him.

Federal authorities have now pursued ElcomSoft, Dmitry Sklyarov's employer.
The case is being litigated in Federal District Court in California.

In April 2001, a team of researchers headed by Princeton Professor Ed Felten
announced that they could defeat a DRM system developed by the Secure Digital
Media Initiative (SDMI). Before the team could present its paper, SDMI and the Recording
Industry Artists of America (RIAA) threatened Felten and his team with a lawsuit
under the Digital Millennium Copyright Act (DMCA). Felten's team decided not
to publish the paper. Ultimately, SDMI and RIAA retreated from the threat of
lawsuit, fearing that the DMCA may have been stricken as constitutionally
overbroad when applied against a group of professors presenting an academic
paper. In June 2001, the Electronic Frontier Foundation (EFF) brought suit
against RIAA to obtain a declaratory judgment that Felten could present the
SDMI research. Additionally, EFF sought the invalidation of the DMCA as an
unconstitutional restriction on free expression. In August 2001, Felten presented
the SDMI paper at the USENIX conference. In November 2001, a Federal District
Court dismissed EFF's case. In February 2002, Felten decided not to appeal
the dismissal.

In Fall 2000, the 4C Entity, which is comprised of IBM, Intel, Matsushita,
and Toshiba, attempted to include Content Protection for Removable Media (CPRM)
in the standard for all ATA devices. The ATA standard encompasses hard drives,
CD-ROM and CD-RW drives, flash memory, and other media storage devices. With
CPRM embedded in users' hardware, content producers would have the option
of enabling copy protection and hindering "unauthorized" use of files. In
February 2001, IBM decided to withdraw its call for CPRM in hard drives and
to limit the application of CPRM to only removable media, which includes flash
memory and other storage devices associated with digital cameras and MP3 players.

Rothken Law Firm.
Ira Rothken litigated DeLise v. Fahrenheit Entertainment, Sunncomm et
al., a challenge to the use of Digital Content Cloaking Technology that
requires the consumer to reveal her identity before gaining access to content.
The lawsuit was settled in February 2002. In the settlement, the defendants
agreed to provide better notice and the ability to download content without
requiring personal information.

CloneCD
will produce an exact copy of an original CD, thereby defeating copy protection
systems that include corrupt sectors on the CD.

DRM Developers

The following is a partial list of DRM systems that are available or under
development:

Internet Digital Rights Management
(IDRM). IDRM is an IRTF (Internet Research Task Force) Research Group formed
to research issues and technologies relating to Digital Rights Management
(DRM) on the Internet. The IRTF is a sister organization of the Internet
Engineering Task Force (IETF).